Carriers have been addressing Internet security ever since they realized the public network exposed them to denial of service attacks and theft of policyholder information. Firewalls, intrusion detection, encryption, virus scanning, access management-all these tools are staples in carriers' IT operations.But what about insurance agencies? Carriers exchange customer data with agencies via the Internet daily, and agents regularly access policyholder data within carrier systems.
Insurance carriers have a vested interest in agency security, says Alvito Vaz, IT Manager, Drive Insurance from Progressive, Mayfield Village, Ohio.
"We may have our 'front door locked,' but we've given out thousands of keys to agencies that come through that door." If agencies don't adequately protect their systems, they can expose carriers to risks as well, he says.
Vaz is a member of group that developed "The Independent Agent's Guide to Systems Security," for the Agents Council for Technology (ACT)-part of the Independent Agents & Brokers of America Inc., Alexandria, Va.
A guide for agencies
The 37-page guide, which is available on ACT's Web site at www.independentagent.com/act, describes a day in the life of an agent-and the security threats that exist within that environment. The guide also suggests key actions for agency principals to consider to reduce their risks.
Key among those actions is access management, according to industry sources. For example, "when employees leave your agency, terminate their access immediately," says Chris Garson business IT director, Drive Insurance from Progressive. 'It sounds real simple, but the biggest risk is from people, not technology."
Indeed, training agency employees on the critical nature of security is a basic element of preventing breaches, says Jeff Yates, ACT executive director. "Agency principals also should have a system to monitor employees for compliance-as well as tools that monitor their networks."
Security is business issue, not a technology problem, says Vaz. "It's probably one of the biggest risk areas to the ongoing viability of an agency's business," he says. "And agency staff is the biggest exposure."
As a result, he says, employees should be educated about IT security. "Talk about security at staff meetings, and put procedures in place on how to manage I.D.s and passwords, he says.
Most agency owners are using many of the technology tools they need to protect their systems, he continues. For example, most have virus scanning software and firewalls.
What they may not realize however, are inadvertent risks they face, such as those that occur when an employee brings a wireless card into the office.
"If an agent or customer service representative brings a wireless card in and plugs it into their PC, they've just opened a big hole in your network for anyone else to get in," he says.
Agency principals should also consider getting an IT security audit, according to Vaz. "It will cost you a little bit of money, but . . . periodically you need to have a professional come in and look at your systems."
